APM replacing ADFS proxy 3.0 : different behavior based on user agent value
Hi, I am deploying F5 APM as ADFS proxy using deployment guide v1.4. I configured AD auth and NTLM SSO. When authenticating with Firefox, SSO does not work and the ADFS server requests form-based authentication (it is my default test browser and I did not try with IE). I searched on DevCentral if there is anything else to configure to support ADFS 3.0. I found this article about configuring form-based authentication on the ADFS server. To support ADFS proxy for any browser, I customized the iRule provided in the deployment guide like that:

```tcl
when HTTP_REQUEST {
    set keepua 0
    # For external Lync client access all external requests to the /trust/mex URL
    # must be routed to /trust/proxymex. Analyze and modify the URI where appropriate
    HTTP::uri [string map {/trust/mex /trust/proxymex} [HTTP::uri]]
    # Analyze the HTTP request and disable access policy enforcement for WS-Trust calls
    if { [HTTP::uri] contains "/adfs/services/trust" } {
        ACCESS::disable
        set keepua 1
    }
    # OPTIONAL ---- To allow publishing of the federation service metadata
    if { [HTTP::uri] ends_with "FederationMetadata/2007-06/FederationMetadata.xml" } {
        ACCESS::disable
        set keepua 1
    }
    # Rewrite the client User-Agent only for requests that go through the access policy
    if { !($keepua) } {
        HTTP::header replace "User-Agent" "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko msie7"
    }
}
```

It replaces the client user agent by one supported by the ADFS server for NTLM auth. Am I the first who gets this error? Is there a better solution to solve this issue? Regards, Stanislas

ADFS 3.0 monitor for ADFS Proxy servers on LTM 11.6 HF3
We are load balancing ADFS 3.0 Proxy servers, but cannot get the monitor to work. The external script provided by F5 is as follows:

```sh
#!/bin/sh
# These arguments supplied automatically for all external monitors:
# $1 = IP (nnn.nnn.nnn.nnn notation)
# $2 = port (decimal, host byte order)
#
# This script expects the following Name/Value pairs:
# HOST = the host name of the SNI-enabled site
# URI = the URI to request
# RECV = the expected response

# Remove IPv6/IPv4 compatibility prefix (LTM passes addresses in IPv6 format)
NODE=`echo ${1} | sed 's/::ffff://'`
if [[ $NODE =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    NODE=${NODE}
else
    # Not IPv4: bracket the IPv6 literal so it is valid in the URL
    NODE=[${NODE}]
fi
PORT=${2}

PIDFILE="/var/run/`basename ${0}`.sni_monitor_${HOST}_${PORT}_${NODE}_sni.pid"
if [ -f $PIDFILE ]
then
    echo "EAV exceeded runtime needed to kill ${HOST}:${PORT}:${NODE}" | logger -p local0.error
    kill -9 `cat $PIDFILE` > /dev/null 2>&1
fi
# Record this run's PID so a hung instance can be killed by the next run
echo "$$" > $PIDFILE

# curl -v writes the response headers to stderr; that stream is what grep inspects
curl-apd -k -v --resolve $HOST:$PORT:$NODE https://$HOST$URI 2>&1 > /dev/null | grep -i "${RECV}"
STATUS=$?

rm -f $PIDFILE

if [ $STATUS -eq 0 ]
then
    echo "UP"
fi
exit
```

I can ssh into the F5 and get a good response when I hard-code the values:

```
config # curl-apd -k -v --resolve adfs.abc.edu:443:10.255.200.201 https://adfs.abc.edu/FederationMetadata/2007-06/FederationMetadata.xml 2>&1 > /dev/null | grep -i "HTTP/1.1 200 OK"
< HTTP/1.1 200 OK
```

Is there a way on the command line to see what variables are actually being used, or maybe a way to log their values? I wonder if it is not correctly pulling the $NODE or $PORT values. As an experiment I also changed [ $STATUS -eq 0 ] to [ $STATUS eq 0 ] just to see if the monitor would come up, and that did not help either. Thanks, Rob

adfs 3.0 and APM O365
We are in the early stages of the design of an ADFS 3.0 implementation, and we would like to use APM to provide the functionality of the ADFS proxy in our DMZ. According to this article https://devcentral.f5.com/articles/big-ip-and-adfs-part-2-ndash-ldquoapmndashan-alternative-to-the-adfs-proxyrdquo it should work. However, this document says that SSL termination is not an option: https://blogs.technet.microsoft.com/applicationproxyblog/2014/07/04/ssl-termination-with-web-application-proxy-and-ad-fs-2012-r2/ It is still unclear to me regarding the full ecosystem, but from what I gather a sticking point might be ActiveSync, as the authentication for ActiveSync will be proxied from the cloud to our ADFS, and a client certificate of O365 might need to be passed to the backend ADFS servers. Can anyone speak of replacing the WAP/ADFS proxy in an ADFS 3.0 implementation with F5 APM, and any possible sticking points that they have experienced? Terry

ADFS 3.0 nodes up/down
I am fairly new to the Big-IP platform, so forgive me if there is an obvious answer to this... I am on 11.3 and attempting to load balance ADFS 3.0. I wasn't having luck with the SNI monitor, then I realized it's not supported for 3.0 until 11.4.1. That being the case, I configured TCP monitors instead until we can upgrade to >11.4.1, hoping to get this working. I am still having issues, however. My nodes will appear online for a period of time and everything seems fine. Then they will go offline for a while, then back online again. Does anyone have any suggestions? I am at a loss. Thanks, Richie
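An instrumented external monitor, added here as an example and not F5's own script, that serves both Rob's question above (how to see which HOST/URI/RECV/NODE/PORT values the EAV actually receives) and Richie's situation (an external curl-based check is the way to monitor an SNI-only ADFS 3.0 farm before native SNI monitors exist in 11.4.1): every input is logged to local0, which lands in /var/log/ltm, and the node normalisation sits in its own function so it can be checked by hand. It assumes the same HOST/URI/RECV variables and the curl-apd binary as the F5 script quoted above, and swaps the bash regex test for a POSIX case match.

```bash
#!/bin/bash
# Added example, not F5's script: an external monitor that logs the values it
# actually receives. Assumes the HOST/URI/RECV variables and the curl-apd
# binary from the F5 script quoted above; the bash regex test is replaced by
# a POSIX case match.

# Strip the IPv4-mapped prefix LTM prepends and bracket any remaining IPv6
# literal so it is valid in a URL and in curl's --resolve argument.
normalize_node() {
    n=${1#::ffff:}
    case "$n" in
        *:*) printf '[%s]\n' "$n" ;;   # still contains a colon: IPv6 literal
        *)   printf '%s\n' "$n" ;;     # plain IPv4 address
    esac
}

# The exact --resolve argument the monitor will use; logging it gives a
# string that can be pasted into a manual curl-apd test on the box.
build_resolve() {
    printf '%s:%s:%s\n' "$1" "$2" "$3"   # HOST PORT NODE
}

# Log every input to local0, which lands in /var/log/ltm on BIG-IP.
log_inputs() {
    echo "EAV $(basename "$0") HOST=${HOST:-unset} URI=${URI:-unset}" \
         "RECV=${RECV:-unset} NODE=$1 PORT=$2 resolve=$(build_resolve "${HOST:-unset}" "$2" "$1")" \
        | logger -p local0.notice
}

# The check itself only runs when LTM invokes the script (HOST and $1 set),
# so the functions above can be exercised on their own.
if [ -n "${HOST:-}" ] && [ -n "${1:-}" ]; then
    NODE=$(normalize_node "$1")
    PORT=$2
    log_inputs "$NODE" "$PORT"
    # curl -v writes the response headers to stderr; that stream is what grep sees
    if curl-apd -k -v --resolve "$(build_resolve "$HOST" "$PORT" "$NODE")" \
           "https://${HOST}${URI}" 2>&1 >/dev/null | grep -qi "${RECV}"; then
        echo "UP"
    else
        echo "EAV ${HOST}:${PORT}:${NODE} no match for '${RECV}'" | logger -p local0.error
    fi
fi
```

After one monitor interval, grep /var/log/ltm for "EAV" to see the resolve string the script built and compare it with the one that worked by hand.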